The fix merged to master https://review.opendev.org/c/openstack/nova/+/324720
** Changed in: nova Status: In Progress => Fix Released -- You received this bug notification because you are a member of Yahoo! Engineering Team, which is subscribed to OpenStack Compute (nova). https://bugs.launchpad.net/bugs/1552042 Title: Host data corruption through nova inject_key feature Status in OpenStack Compute (nova): Fix Released Status in OpenStack Security Advisory: Incomplete Bug description: Reported by Garth Mollett from Red Hat. The nova.virt.disk.vfs.VFSLocalFS has measures to prevent symlink traversal outside of the root of the images directory but it does not prevent access to device nodes inside the image itself. A simple fix should be to mount with the 'nodev' option. Under certain circumstances, the boot process will fold back to VFSLocalFS when trying to inject the public key, for libvirt: * when libguestfs is not installed or can't be loaded. * use_cow_images=false and inject_partition for non-nbd * for loopback mount at least, there is a race condition to win in virt/disk/mount/api.py between kpartx and a /dev/mapper/ file creation: os.path.exists can run before the path exists even though it's there half a second later. The xenapi is also likely vulnerable, though untested. To manage notifications about this bug go to: https://bugs.launchpad.net/nova/+bug/1552042/+subscriptions -- Mailing list: https://launchpad.net/~yahoo-eng-team Post to : yahoo-eng-team@lists.launchpad.net Unsubscribe : https://launchpad.net/~yahoo-eng-team More help : https://help.launchpad.net/ListHelp